Hi, I'm on Postfix 2.5.6 and implementing TLS. I'm having difficulties to understand the difference between "verify" and "secure".
What I've got on the client side:

/etc/hosts:
    192.168.1.1 s2.mydomain.de

/etc/postfix/main.cf:
    disable_dns_lookups = yes
    smtp_tls_loglevel = 2
    smtp_use_tls = yes
    smtp_enforce_tls = no
    smtp_tls_CApath = /etc/ssl/certs
    transport_maps = hash:/etc/postfix/transport
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/transport:
    test1.prv smtp:[s2.mydomain.de]

/etc/postfix/tls_policy:
    [s2.mydomain.de] verify

On the server side I've got an SSL key and a certificate for that key signed by Thawte. The CN is s1.mydomain.de. Note the difference between s1 (key and certificate) and s2 (in the client configuration). This has been configured deliberately to explore the difference between "secure" and "verify".

My expectation was that "verify" would work (certificate chain checks out) but "secure" would not (CN does not match next hop). Instead, "verify" doesn't work either:

==================================================================
setting up TLS connection to s2.mydomain.de[192.168.1.1]:25
s2.mydomain.de[192.168.1.1]: TLS cipher list ...
s2.mydomain.de[192.168.1.1]:25: certificate verification depth=2 verify=1 subject=/C=US/O=thawte, Inc./...
s2.mydomain.de[192.168.1.1]:25: certificate verification depth=1 verify=1 subject=/C=US/O=Thawte, Inc./...
s2.mydomain.de[192.168.1.1]:25: certificate verification depth=0 verify=1 subject=/O=s1.mydomain.de/.../CN=s1.mydomain.de
s2.mydomain.de[192.168.1.1]:25: Trusted subject_CN=s1.mydomain.de, issuer_CN=Thawte DV SSL CA
Trusted TLS connection established to s2.mydomain.de[192.168.1.1]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
...
366AE26E2B: to=<t...@test1.prv>, relay=s2.mydomain.de[192.168.1.1]:25, ..., dsn=4.7.5, status=deferred (Server certificate not verified)
==================================================================

So my understanding of the difference between "verify" and "secure" seems to be wrong. Could someone please explain this?

Regards,
Robert
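The following is an added illustration, not part of the post above and not Postfix code. It models the name-matching step that both the "verify" and the "secure" levels perform after the chain check, using the defaults documented for Postfix (smtp_tls_verify_cert_match = hostname, smtp_tls_secure_cert_match = nexthop, dot-nexthop) and the "match=" attribute a policy-table entry may carry. The point it demonstrates: under "verify" the expected name is the server hostname (the MX host learned from DNS, or the next-hop itself when there is no lookup, as in the configuration above), while under "secure" it is the next-hop domain from the policy table, so DNS cannot redirect the name check. In the scenario from the post (certificate CN s1.mydomain.de, next-hop [s2.mydomain.de], no DNS lookup) both levels therefore fail. Function names, the simplified matching rules (exact and ".domain" patterns only, no certificate wildcards) and the sample names are assumptions made for this example.

```python
"""Simplified model of Postfix 2.5 server-certificate name matching for the
"verify" and "secure" TLS policy levels.  Illustration only; helper names and
the reduced matching rules are assumptions, not Postfix's implementation."""

# Documented Postfix defaults for the two levels:
#   smtp_tls_verify_cert_match = hostname
#   smtp_tls_secure_cert_match = nexthop, dot-nexthop
DEFAULT_MATCH = {
    "verify": ["hostname"],
    "secure": ["nexthop", "dot-nexthop"],
}


def parse_policy(line):
    """Parse one smtp_tls_policy_maps entry such as
    '[s2.mydomain.de] verify match=s1.mydomain.de:.mydomain.de'.
    Returns (lookup key, level, explicit match patterns or None)."""
    key, _, value = line.strip().partition(" ")
    fields = value.split()
    level = fields[0]
    match = None
    for attr in fields[1:]:
        name, _, val = attr.partition("=")
        if name == "match":
            match = val.split(":")  # match= takes a colon-separated list
    return key, level, match


def expand_patterns(patterns, nexthop, mx_hostname):
    """Turn the symbolic names into concrete names.  nexthop is the policy
    key without [brackets]; mx_hostname is the server name the connection is
    made to (with disable_dns_lookups = yes or a [bracketed] next-hop there
    is no MX lookup, so it is simply the next-hop itself)."""
    out = []
    for p in patterns:
        if p == "nexthop":
            out.append(nexthop)
        elif p == "dot-nexthop":
            out.append("." + nexthop)  # any sub-domain of the next-hop
        elif p == "hostname":
            out.append(mx_hostname)  # name obtained via DNS (or next-hop)
        else:
            out.append(p)  # literal pattern given via match=
    return out


def name_matches(cert_name, pattern):
    """One certificate name against one pattern, case-insensitively.
    A pattern starting with '.' matches any sub-domain of that domain;
    anything else must match exactly.  (Simplification: certificate
    wildcard names are not handled here.)"""
    cert_name = cert_name.lower()
    pattern = pattern.lower()
    if pattern.startswith("."):
        return cert_name.endswith(pattern)
    return cert_name == pattern


def verify_server_cert(policy_line, cert_names, mx_hostname=None):
    """Apply the name check for one policy entry to the names found in the
    server certificate (CN / DNS SANs).  Returns (accepted, patterns used)."""
    key, level, match = parse_policy(policy_line)
    nexthop = key.strip("[]")
    if mx_hostname is None:
        mx_hostname = nexthop  # no DNS lookup: hostname == next-hop
    if level not in DEFAULT_MATCH:
        return True, []  # none/may/encrypt levels do not check names
    patterns = expand_patterns(match or DEFAULT_MATCH[level], nexthop, mx_hostname)
    accepted = any(name_matches(n, p) for n in cert_names for p in patterns)
    return accepted, patterns


if __name__ == "__main__":
    # Constructed scenarios.  The first two reproduce the post's setup:
    # the certificate carries s1.mydomain.de, the policy names s2.mydomain.de.
    cases = [
        ("[s2.mydomain.de] verify", ["s1.mydomain.de"], None),
        ("[s2.mydomain.de] secure", ["s1.mydomain.de"], None),
        ("[s2.mydomain.de] verify match=s1.mydomain.de", ["s1.mydomain.de"], None),
        # DNS-trust difference: MX host in a foreign domain (constructed name)
        ("mydomain.de verify", ["mx.provider.example"], "mx.provider.example"),
        ("mydomain.de secure", ["mx.provider.example"], "mx.provider.example"),
    ]
    for policy, names, mx in cases:
        ok, pats = verify_server_cert(policy, names, mx)
        print(f"{policy!r:50} cert={names} expects {pats} -> "
              f"{'OK' if ok else 'Server certificate not verified'}")
```

Running it shows that the post's entry "[s2.mydomain.de] verify" rejects the s1 certificate exactly as the log does, that "secure" rejects it as well, and that an explicit "match=s1.mydomain.de" (or a dot pattern such ".mydomain.de") is what makes either level accept a certificate issued for a different name than the next-hop. The last two cases show the actual difference between the levels: "verify" accepts whatever hostname DNS returned as long as the certificate matches it, whereas "secure" insists on a name under the configured domain.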